Shmoocon in review
Posted Tue, 27 Mar 2007
This was my first Shmoocon. It's like Defcon but with less debauchery, more clueful presentations, more interesting people, less disinteresting people etc. Defcon is more about getting plastered, gambling, general debauchery, and using presentations as an excuse not to drink. In short, Shmoocon is better technical conference.
I flew out on Tuesday because I wanted to take a full week off of work. wxs and I needed to put more time into the puzzles, so I didn't have to kill time by sleeping or visiting landmarks. Time was spent sleeping, working on puzzles, eating, and playing Mario Kart on wxs's Wii.
The conference itself was more or less what I had expected. When I attend conferences, I usually end up spending more time out of the sessions than in them, due to my opinion that lots of talks are super boring. The topic usually sounds neat, but the presentation style sucks or the content is worthless. My favorite part of conferences is the side channel stuff.
This year's Shmoocon broke tradition and made the NOC open and availabile to anyone this year. I'm sad I didn't get a chance to go in and find out how they setup the network. They had "Shmoocon Labs" prior to the event which invited staff and attendees to come and set up the network the day prior to the conference. Sweet idea, but crazy (Let's setup a network for 1000 people in less than a day).
On to presentations! The Jikto talk was cool in that it was code manifestation of already-known vulnerabilities exposed by AJAX, XSS, and web proxies. The speaker accidentally showed the url where the source code lives when he did 'view source' for a few seconds during a demo. Of course, a fair portion of the room scribbled down the url and downloaded it; oops.
My favorite talk was the "No tech hacking" talk. The material was, like Jikto, simply an application of known techniques. In this case, it was social engineering and observation. The style was very engaging. The whole point seemed to be that hacking people is stupid easy because most people have credential and other items visibly on the outside.
I went to a talk about using entropy for statistical analysis, but the first 5 minutes of it were *really* slow and I pretty much got the idea of what the presenter was talking about in that time, so I left to find other things to do.
Hack or Halo. This year the hack was different. It was security/hack-type puzzles instead of the previous year of "exploit these machines as fast as possible". The puzzles ranged from sudoku to lanman hash cracking to port knocking. We had a total of 22 (ish?) puzzles, and only three went unsolved across all of the players
Prior to hack or halo, wxs and I were doing some final checks on the puzzles. We booted the machine and found immediately that none of the vmware instances would start. The folder 'C:\Virtual Machines' was permanently stuck in 'read only' mode. Unchecking 'read only' in the permissions box didn't fix it (it kept resetting to 'read only' again).
What now? Zoom back another day, when wxs and I were finishing the puzzles. My spider sense told me to back up the vmware images before shutting down, so I had wxs back them up to his laptop. He copied them over from his laptop after we realized the vmware images on the hack server weren't good anymore. They worked fine. Thank god for backups.
Other than that hitch, the hack portion of the competition went off without any problems at all. Whew. I have lots of pictures posted on flickr from the competition, greater Shmoocon, and shenanigans at the parties.
As far as conference work goes, working on HoH was pretty great. The other options for working Shmoocon seemed to be NOC or physical security. NOC stuff would've been fun, since it would let you play with the new fancy security network gear being tested or generally using gear I don't have access to on a normal basis. HoH didn't take too much of my time during the con, so it was totally worth it.
HoH was awesome, and I'm considering doing it next year. If you weren't there, you missed a great conference.